Oops, this should've left days ago...
Thanks, that's the kind of thing I'm looking for.
I had recursion no and my rate-limit was way too high (10), probably because I
misunderstood how it works. empty-zones-enable is still somewhat obscure, but
I'll try it.
Best
Ale
On Sat 04/Apr/2026 23:03:36 +0200 Nick Tait via bind-users wrote:
Hi Alessandro.
Not sure if this helps, but these are the options that I’ve added to my
external authoritative view to harden it:
recursion no;
allow-recursion { none; };
max-cache-size 2m;
empty-zones-enable no;
rate-limit {
    responses-per-second 5;
    window 5;
};
Nick.
On 5 Apr 2026, at 5:34 AM, Mike <[email protected]> wrote:
Alessandro Vesely wrote:
yesterday I got 124,646 queries in ten minutes, between 1:50 and 2:00 AM
UTC, from 4,287 different IPs. The top IP was
2001:19f0:5401:2e01:5400:3ff:fed1:9863 with 47,304 queries for 5,261
subdomains
Are there any I should enable?
Probably. What's available depends on your firewall.
Nftables can do rate limiting to the port, regardless of source IP, though
that would affect legitimate traffic, too. Rate limiting by source IP
block looks like it would help a lot, too, in this case.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.
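The flood described in the thread (one address sending tens of thousands of queries for thousands of distinct subdomains) is easy to spot in BIND's query log by aggregating per client and per source block, which is also the information needed before rate limiting by address block in the firewall. The script below is an added example, not code from the thread; the log lines are constructed in BIND's default query-log layout, and the /64 and /24 block sizes and the `min_queries` threshold are illustrative assumptions.

```python
"""Aggregate BIND query-log lines per client and per source block (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Client address and queried name from a BIND "queries" category line, e.g.
#   ... client @0x7f3c1c0 2001:db8::a#41000 (x9a1.example.test): query: ...
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F:.]+)#\d+ \((?P<qname>[^)]+)\): query:"
)

# Constructed sample: three lines from one IPv6 host, one from a neighbour in the
# same /64, a few repeated legitimate lookups from IPv4, and one non-query line.
SAMPLE_LOG = """\
04-Apr-2026 01:52:13.001 client @0x7f3c1c0 2001:db8:1:2::a#41000 (x9a1.example.test): query: x9a1.example.test IN A -E(0) (2001:db8::53)
04-Apr-2026 01:52:13.002 client @0x7f3c1c0 2001:db8:1:2::a#41001 (q7zz.example.test): query: q7zz.example.test IN A -E(0) (2001:db8::53)
04-Apr-2026 01:52:13.003 client @0x7f3c1c0 2001:db8:1:2::a#41002 (m3k0.example.test): query: m3k0.example.test IN A -E(0) (2001:db8::53)
04-Apr-2026 01:52:13.004 client @0x7f3c1d0 2001:db8:1:2::b#41003 (k2l9.example.test): query: k2l9.example.test IN A -E(0) (2001:db8::53)
04-Apr-2026 01:52:13.005 client @0x7f3c1e0 192.0.2.10#5353 (www.example.test): query: www.example.test IN A -E(0) (192.0.2.53)
04-Apr-2026 01:52:13.006 client @0x7f3c1e0 192.0.2.10#5354 (www.example.test): query: www.example.test IN AAAA -E(0) (192.0.2.53)
04-Apr-2026 01:52:13.007 client @0x7f3c1f0 192.0.2.20#5355 (www.example.test): query: www.example.test IN A -E(0) (192.0.2.53)
04-Apr-2026 01:52:14.000 general: info: zone example.test/IN: loaded serial 2026040401
"""

def source_block(ip: str) -> str:
    """Return the /64 (IPv6) or /24 (IPv4) block containing a client address."""
    plen = 64 if ip_address(ip).version == 6 else 24
    return str(ip_network(f"{ip}/{plen}", strict=False))

def summarize(lines, min_queries: int = 3):
    """Count queries and distinct query names per client and per source block.

    Returns ({client_ip: (queries, distinct_names)}, {block: (queries, distinct_names)}),
    keeping only entries with at least `min_queries` queries.  A high count paired
    with many distinct names is the random-subdomain pattern seen in the thread;
    a high count with one name is more likely a busy legitimate resolver.
    """
    ip_count, ip_names = defaultdict(int), defaultdict(set)
    blk_count, blk_names = defaultdict(int), defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (zone load, resolver notices, ...): skip
        ip, qname = m["ip"], m["qname"].lower()
        blk = source_block(ip)
        ip_count[ip] += 1; ip_names[ip].add(qname)
        blk_count[blk] += 1; blk_names[blk].add(qname)
    by_ip = {ip: (n, len(ip_names[ip])) for ip, n in ip_count.items() if n >= min_queries}
    by_blk = {b: (n, len(blk_names[b])) for b, n in blk_count.items() if n >= min_queries}
    return by_ip, by_blk

if __name__ == "__main__":
    by_ip, by_blk = summarize(SAMPLE_LOG.splitlines())
    for blk, (n, names) in sorted(by_blk.items(), key=lambda kv: -kv[1][0]):
        print(f"{blk:<24} queries={n:<6} distinct_names={names}")
```

Run it over a real log with `summarize(open("query.log"))` and a threshold scaled to the window you are looking at; the per-block view is what tells you whether a single /64 or /24 is worth a firewall rule.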